Heartbleed vulnerability SPA 525G2 / and others

willplaice · ‎04-14-2014

Has anyone tested these phones to see if they are vulnerable, i don't see any Small business equipment on Cisco's main article on this.

many thanks, Will

Dan Lukes · ‎04-17-2014

Although Heartbleed is most dangerous bug in the past year, I have no idea how it can affect a SPA5xx phone unless it's in danger even without Heartbleed.

Phone must not be accessible for communication from untrusted sources at all, even without Heartbleed. And trusted partners will not Heartbleeds against you. And even if they will violate the trust, they can catch only information they have already.

Or I missed something ?

In short, Yes, there is no clear declaration related to the issue. But it seems that Heartbleed is not so important issue in this particular environment.

There is open, unauthenticated, API that allow remote control of your phone. So who need Heartbleed to attack you ?

Joao Oliveira · ‎04-25-2014

Clients are also exposed if an attacker uses Man-in-the-Middle strategy.

http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/

It can make a phone getting configuration using HTTPs, using SRTP or SIP over TLS, to bleed memory banks, that could bleed:

SIP Credentials
Admin Credentials

If Cisco provides the version of OpenSSL that has been used to compile the Firmware, it will allow Administrators of SPA Phones to know if the phones are vulnerable.

Dan Lukes · ‎04-25-2014

Although I'm curious as well, I would like to repeat that the answer to this question is not so important.

You have your network either secure and no untrusted computer can speak to your phones, then no MITM attack is possible (as there is no untrusted computer to become MITM), so the Heardbleed is not severe issue to you.

Or you have your network designed insecurely, untrusted computer can speak to your phone, then you are in risk of bill fraud even without Heartbleed.

Joao Oliveira · ‎04-25-2014

I can tell that the Cisco SPA Phones are delivered as part of a hosted solution. Phones are delivered into customer network, which is not under the operator control. Its not possible to control the customer network. However, as a hosted service, we should ensure that the solution follows the security best practices.

If a vulnerability is known, it wouldn't be wise not do anything about it.

Dan Lukes · ‎04-26-2014

... despite it is not severe, in the particular case.

I agree, I will welcome clear statement related to it from Cisco, and/or patched firmware if necessary. At least it may calm down the customer's panic a lot.

I'm just saying it's not so big problem it's not available yet. Just explain your customer, that the Hearbleed is not so harmful in properly designed (=closed) VoIP network. As you claimed, customer network is not under your control, so it's customer responsibility to have appropriate configuration of voice LAN. If has nothing to do with Heartbleed.

Joao Oliveira · ‎05-01-2014

I have received a response from Cisco stating that the Firmware has been used a pre-1.0.0 version of OpenSSL. This means that the Cisco SPA Phones are not vulnerable to the HeartBleed.

Joao Oliveira · ‎05-01-2014